Centos / Sssd和Ldap TLS加密和其他问题

时间:2018-08-06 12:43:50

标签: centos7 openldap sssd

我使用的是 389 Directory Server（LDAP 服务器）。我的基础架构中同时有基于 Debian 和 Red Hat 的服务器。

我对Ubuntu 14-16版和Centos 6服务器没有问题。但是我在Centos 7.x版本中使用sssd和ldap服务时遇到问题。

我的所有更改均在下面逐步列出。我找不到丢失或错误的内容。我要疯了。

亲爱的社区，我需要你们的帮助。我知道这篇帖子很长。

[root@ldap-test-client]$ cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)

[root@ldap-test-client]$ uname -a
Linux ldap-test-client 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

软件包信息：

[root@ldap-test-client]$ yum list installed |grep sssd
Failed to set locale, defaulting to C
python-sssdconfig.noarch              1.16.0-19.el7_5.5                @updates
sssd.x86_64                           1.16.0-19.el7_5.5                @updates
sssd-ad.x86_64                        1.16.0-19.el7_5.5                @updates
sssd-client.x86_64                    1.16.0-19.el7_5.5                @updates
sssd-common.x86_64                    1.16.0-19.el7_5.5                @updates
sssd-common-pac.x86_64                1.16.0-19.el7_5.5                @updates
sssd-ipa.x86_64                       1.16.0-19.el7_5.5                @updates
sssd-krb5.x86_64                      1.16.0-19.el7_5.5                @updates
sssd-krb5-common.x86_64               1.16.0-19.el7_5.5                @updates
sssd-ldap.x86_64                      1.16.0-19.el7_5.5                @updates
sssd-proxy.x86_64                     1.16.0-19.el7_5.5                @updates

[root@ldap-test-client]$ ps aux |grep sssd
root       697  0.0  0.5 282124  6036 ?        Ss   11:09   0:00 /usr/sbin/sssd -i --logger=files
root       709  0.0  0.9 306216  9636 ?        S    11:09   0:00 /usr/libexec/sssd/sssd_be --domain LDAP --uid 0 --gid 0 --logger=files
root       715  0.0  2.9 289932 29996 ?        S    11:09   0:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root       716  0.0  0.5 269592  5520 ?        S    11:09   0:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
testuser+  1391  0.0  0.0 112676   728 pts/0    R+   11:17   0:00 grep --color=auto sssd

sssd和ldap配置

[root@ldap-test-client]$ pwd
/etc/sssd


[root@ldap-test-client]$ ll
total 8
drwx--x--x. 2 sssd sssd  23 Aug  6 11:19 conf.d
-rw-------  1 root root 933 Aug  6 11:31 sssd.conf


[root@ldap-test-client]$ cat sssd.conf
# sssd.conf as posted: one LDAP identity/auth domain, served by the nss and pam responders.
# The domain section is named "LDAP"; the [sssd] section lists it as "ldap" (see note there).
[domain/LDAP]

# NOTE(review): autofs_provider is set, but "autofs" is not in the [sssd] services list
# below, so no autofs responder is started — confirm whether automount via sss is intended.
autofs_provider = ldap
# Cached credentials allow offline logins for users who authenticated successfully once;
# the "id testuser" result in the question may therefore come from the cache rather than
# from a live lookup.
cache_credentials = true
ldap_search_base = dc=domain,dc=com
ldap_user_search_base = ou=People,dc=domain,dc=com
ldap_group_search_base = ou=groups,dc=domain,dc=com
# NOTE(review): a sudo search base is configured, but no "sudo" service is listed in
# [sssd]; the "sudoers: files sss" entry in nsswitch.conf needs that responder.
ldap_sudo_search_base = ou=sudoers,dc=domain,dc=com
id_provider = ldap
# Password authentication against LDAP. sssd refuses to send a password over a
# connection that is not TLS-protected unless ldap_auth_disable_tls_never_use_in_production
# is set; it is (correctly) left commented out below, so a failed STARTTLS also fails auth.
auth_provider = ldap
chpass_provider = ldap
# Plain ldap:// on port 389; encryption comes from STARTTLS, requested on the next line.
ldap_uri = ldap://ldapserver.domain.com:389
# STARTTLS is mandatory for identity lookups. sssd applies its own verification policy
# (ldap_tls_reqcert, default "hard") rather than TLS_REQCERT from /etc/openldap/ldap.conf.
# No CA is configured here (ldap_tls_cacertdir / ldap_tls_cacert unset), so the server
# certificate can only verify if its CA is already in the default trust store libldap
# uses. The repeated "Backend is currently offline" in sssd_LDAP.log is consistent with a
# failed TLS handshake — check that log for the TLS error line to confirm.
ldap_id_use_start_tls = true
#ldap_tls_cacertdir = /etc/openldap/cacerts
#ldap_schema = rfc2307bis
# Keep the next line disabled: enabling it sends passwords in clear text to the server.
#ldap_auth_disable_tls_never_use_in_production = true
#use_fully_qualified_names = True
#enumeration = False
# Level 9 is the most verbose setting (hence the 0x4000 sbus lines in the question);
# lower it once the problem is found.
debug_level = 9


[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
# Only the nss and pam responders run; see the autofs and sudo notes above.
services = nss, pam
# NOTE(review): spelled "ldap" while the section is [domain/LDAP]. The log shows the
# backend started as domain "LDAP", so the mismatch appears to be tolerated, but using the
# same spelling in both places avoids ambiguity.
domains = ldap

[nss]
# root stays local-only: never resolved through LDAP.
filter_groups = root
filter_users = root
reconnection_retries = 3
#entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
# Offline-credential policy; see sssd.conf(5) for the units of each value.
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

# Empty section; the autofs responder is not enabled in [sssd] services anyway.
[autofs]


[root@ldap-test-client]$ cat /etc/openldap/ldap.conf /etc/ldap.conf /etc/ssh/ldap.conf
# Client defaults for the OpenLDAP command-line tools (ldapsearch etc.). sssd does not take
# its certificate-verification policy from this file; it uses ldap_tls_reqcert in sssd.conf.
# Both CA-directory lines are commented out, so no CA is configured for the tools either.
#TLS_CACERTDIR /etc/openldap/cacerts
#TLS_CACERTDIR /etc/openldap/certs
# Disables server-certificate verification for the tools. Acceptable for a one-off
# diagnostic ldapsearch, not as a permanent setting: point TLS_CACERTDIR/TLS_CACERT at the
# server's CA and drop this line.
TLS_REQCERT never
# NOTE(review): "TLS" is not a directive documented in ldap.conf(5) as far as I can tell;
# verify whether libldap accepts it — it may simply be ignored.
TLS never
URI ldap://ldapserver.domain.com:389
# Default search base for the tools; the ldapsearch in the question overrides it with -b.
BASE ou=People,dc=domain,dc=com

ssh和nsswitch配置

[root@ldap-test-client]$ pwd
/etc/ssh


[root@ldap-test-client]$ cat sshd_config-edit
# sshd settings as posted, read from a file named sshd_config-edit in /etc/ssh.
# NOTE(review): sshd loads /etc/ssh/sshd_config, not sshd_config-edit — confirm the active
# file has the same content (sshd -T prints the effective configuration).
Port 22
Protocol 2

SyslogFacility AUTHPRIV
LogLevel INFO

LoginGraceTime 15
PermitRootLogin no
MaxAuthTries 6

HostbasedAuthentication no
IgnoreRhosts yes

PermitEmptyPasswords no
# Passwords are accepted and, with UsePAM yes below, verified through PAM (on this
# platform usually /etc/pam.d/sshd including password-auth — not shown in the question);
# that is the pam_sss path the audit log reports as failed.
PasswordAuthentication yes

ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

UsePAM yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# Explicit CTR ciphers and SHA-2 MACs. The audit log in the question shows
# chacha20-poly1305@openssh.com negotiated, which is not in this list — consistent with
# the running sshd using a different file than this one.
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
X11Forwarding no
PermitUserEnvironment no
# Idle sessions get one keepalive after 1800 s and are dropped if it goes unanswered.
ClientAliveInterval 1800
ClientAliveCountMax 1
Subsystem   sftp    /usr/libexec/openssh/sftp-server


[root@ldap-test-client]$ cat ssh_config
# Client-side defaults for outbound ssh from this host; not involved in the failing
# inbound login, which is handled by sshd and PAM.
Host *
    GSSAPIAuthentication yes
    SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    SendEnv XMODIFIERS



[root@ldap-test-client]$ cat /etc/nsswitch.conf
# Users and groups come from local files first, then from sssd (the "sss" module).
passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files dns


bootparams: nisplus [NOTFOUND=return] files

ethers:     files sss
netmasks:   files sss
networks:   files sss
protocols:  files sss
rpc:        files sss
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus

# Duplicate entry: the next two lines say the same thing; keep one. The "sss" source here
# needs the sssd sudo responder, which is not in the services list of sssd.conf.
sudoers:    files sss
sudoers: files sss


[root@ldap-test-client]$ telnet ldapserver.domain.com 389
Trying 192.168.0.165...
Connected to 192.168.0.165.
Escape character is '^]'.

pam.d系统身份验证和密码身份验证配置

[root@ldap-test-client]$ pwd
/etc/pam.d


[root@ldap-test-client]$ cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# authconfig stack with sssd enabled. For an LDAP-only user such as testuser (uid 11000,
# not in /etc/passwd) the auth phase runs: pam_succeed_if ok -> pam_localuser fails and
# skips pam_unix -> requisite pam_succeed_if ok -> pam_sss.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
# "default=1" on the next two lines means: if the test fails, skip one module. Users
# below uid 1000 skip pam_localuser; users not in local files skip pam_unix.
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
# LDAP users authenticate here; forward_pass reuses the typed password. This can only
# succeed while the sssd backend is online (or the user has cached credentials).
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
# Account checks for LDAP users; user_unknown=ignore lets unknown users fall through.
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
# Creates the home directory on first login, with umask 0077 (owner-only access).
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


[root@ldap-test-client]$ cat password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Same authconfig/sssd stack as system-auth, minus pam_fprintd; this is the stack used by
# password logins over ssh. For testuser (uid 11000, not in /etc/passwd) the auth phase
# runs: pam_succeed_if ok -> pam_localuser fails and skips pam_unix -> requisite
# pam_succeed_if ok -> pam_sss.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
# "default=1" on the next two lines means: if the test fails, skip one module.
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
# LDAP users authenticate here. The audit line "op=PAM:authentication ... res=failed" in
# the question is what this module failing looks like; it cannot succeed while the sssd
# backend is offline unless the user has cached credentials.
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
# Account checks for LDAP users; user_unknown=ignore lets unknown users fall through.
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
# Creates the home directory on first login, with umask 0077 (owner-only access).
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

sssd 和审计（audit）服务日志

[root@ldap-test-client]$ tail -f /var/log/sssd/*
==> /var/log/sssd/ldap_child.log <==

==> /var/log/sssd/sssd_LDAP.log <==
(Mon Aug  6 15:34:41 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Aug  6 15:34:41 2018) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@ldap]
(Mon Aug  6 15:34:41 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #2]: New request. Flags [0x0001].
(Mon Aug  6 15:34:41 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Aug  6 15:34:41 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Mon Aug  6 15:34:41 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #2]: Receiving request data.
(Mon Aug  6 15:34:41 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #2]: Finished. Backend is currently offline.
(Mon Aug  6 15:34:41 2018) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::LDAP:name=testuser@ldap] from reply table
(Mon Aug  6 15:34:41 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #2]: Request removed.
(Mon Aug  6 15:34:41 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0

==> /var/log/sssd/sssd.log <==

==> /var/log/sssd/sssd_nss.log <==
(Mon Aug  6 15:34:41 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]

==> /var/log/sssd/sssd_pam.log <==

==> /var/log/sssd/sssd_LDAP.log <==
(Mon Aug  6 15:34:48 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x56174ff78030
(Mon Aug  6 15:34:48 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Aug  6 15:34:48 2018) [sssd[be[LDAP]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Aug  6 15:34:48 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Aug  6 15:34:48 2018) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@ldap]
(Mon Aug  6 15:34:48 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #3]: New request. Flags [0x0001].
(Mon Aug  6 15:34:48 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Aug  6 15:34:48 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Mon Aug  6 15:34:48 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #3]: Receiving request data.
(Mon Aug  6 15:34:48 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #3]: Finished. Backend is currently offline.
(Mon Aug  6 15:34:48 2018) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::LDAP:name=testuser@ldap] from reply table
(Mon Aug  6 15:34:48 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #3]: Request removed.
(Mon Aug  6 15:34:48 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0

==> /var/log/sssd/sssd_nss.log <==
(Mon Aug  6 15:34:48 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]

==> /var/log/sssd/sssd_LDAP.log <==
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x56174ff78030
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@ldap]
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #4]: New request. Flags [0x0001].
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #4]: Receiving request data.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #4]: Finished. Backend is currently offline.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::LDAP:name=testuser@ldap] from reply table
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #4]: Request removed.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0

==> /var/log/sssd/sssd_nss.log <==
(Mon Aug  6 15:34:49 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]

==> /var/log/sssd/sssd_LDAP.log <==
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x56174ff78030
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@ldap]
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #5]: New request. Flags [0x0001].
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #5]: Receiving request data.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #5]: Finished. Backend is currently offline.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::LDAP:name=testuser@ldap] from reply table
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #5]: Request removed.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0

==> /var/log/sssd/sssd_nss.log <==
(Mon Aug  6 15:34:49 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]

==> /var/log/sssd/sssd_LDAP.log <==
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x56174ff78030
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@ldap]
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #6]: New request. Flags [0x0001].
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #6]: Receiving request data.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #6]: Finished. Backend is currently offline.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::LDAP:name=testuser@ldap] from reply table
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #6]: Request removed.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0

==> /var/log/sssd/sssd_nss.log <==
(Mon Aug  6 15:34:49 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]

==> /var/log/sssd/sssd_LDAP.log <==
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x56174ff78030
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@ldap]
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #7]: New request. Flags [0x0001].
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #7]: Receiving request data.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #7]: Finished. Backend is currently offline.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::LDAP:name=testuser@ldap] from reply table
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #7]: Request removed.
(Mon Aug  6 15:34:49 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0

==> /var/log/sssd/sssd_nss.log <==
(Mon Aug  6 15:34:49 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]

我正在尝试用 `ssh testuser@ldap-test-client` 命令进行 ssh 连接。该 ssh 请求出现在服务器的审计日志中。

[root@ldap-test-client]$ tail -f audit.log
type=CRYPTO_KEY_USER msg=audit(1533557907.241:533): pid=2043 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:13:c9:73:32:4e:40:e6:23:fa:01:94:01:1d:06:75:ee:40:cb:36:a8:4a:b2:b8:15:5c:d1:a5:bb:eb:80:d8:03 direction=? spid=2043 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1533557907.241:534): pid=2043 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:39:21:b3:e2:23:1d:49:5a:d9:b9:b2:c5:6a:24:01:df:45:89:fb:91:c5:19:61:43:ff:71:29:6f:1e:a7:32:fd direction=? spid=2043 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1533557907.241:535): pid=2043 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:4a:94:74:27:67:91:8a:07:15:8f:d3:af:f7:2c:92:b4:25:4a:bd:5b:ae:78:82:5a:71:01:03:2c:0a:15:e2:c6 direction=? spid=2043 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1533557907.305:536): pid=2042 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac=<implicit> pfs=curve25519-sha256 spid=2043 suid=74 rport=53218 laddr=192.168.0.220 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.212.134.201 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1533557907.305:537): pid=2042 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac=<implicit> pfs=curve25519-sha256 spid=2043 suid=74 rport=53218 laddr=192.168.0.220 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.212.134.201 terminal=? res=success'


**The following lines appear after entering the password.**

type=USER_AUTH msg=audit(1533557924.276:538): pid=2042 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="?" exe="/usr/sbin/sshd" hostname=10.212.134.201 addr=10.212.134.201 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1533557926.436:539): pid=2042 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=10.212.134.201 terminal=ssh res=failed'

我的ldap连接测试;

[root@ldap-test-client]$ id testuser
uid=11000(testuser) gid=10010(sysmaster) groups=10010(sysmaster)


[root@ldap-test-client]$ ldapsearch -x -H ldap://ldapserver.domain.com:389 -b uid=testuser,ou=People,dc=domain,dc=com -s base -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=testuser,ou=People,dc=domain,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# testuser, People, domain.com
dn: uid=testuser,ou=People,dc=domain,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
gidNumber: 10010
uidNumber: 11000
mail: testuser@domain.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: ldappublickey
objectClass: hostobject
objectClass: sudoers
objectClass: sudorole
uid: testuser
cn: Test User
homeDirectory: /home/testuser
host: ALL
sudoHost: ALL
sudoCommand: ALL
sudoOption: !aunthenticate

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
